publications
2024
- WWW’24. Discovering and Measuring CDNs Prone to Domain Fronting. Karthika Subramani, Roberto Perdisci, Pierros-Christos Skafidas, and 1 more author. In Proceedings of the ACM on Web Conference 2024, 2024.
Domain fronting is a network communication technique that involves leveraging (or abusing) content delivery networks (CDNs) to disguise the final destination of network packets by presenting them as if they were intended for a different domain than their actual endpoint. This technique can be used for both benign and malicious purposes, such as circumventing censorship or hiding malware-related communications from network security systems. Since domain fronting has been known for a few years, some popular CDN providers have implemented traffic filtering approaches to curb its use at their CDN infrastructure. However, it remains unclear to what extent domain fronting has been mitigated. To better understand whether domain fronting can still be effectively used, we propose a systematic approach to discover CDNs that are still prone to domain fronting. To this end, we leverage passive and active DNS traffic analysis to pinpoint domain names served by CDNs and build an automated tool that can be used to discover CDNs that allow domain fronting in their infrastructure. Our results reveal that domain fronting is feasible in 22 out of 30 CDNs that we tested, including some major CDN providers like Akamai and Fastly. This indicates that domain fronting remains widely available and can be easily abused for malicious purposes.
- IEEE S&P’24. C-FRAME: Characterizing and Measuring In-the-Wild CAPTCHA Attacks. H. Nguyen, K. Subramani, B. Acharya, and 2 more authors. In 2024 IEEE Symposium on Security and Privacy (SP), May 2024.
2022
- IMC. PhishInPatterns: Measuring Elicited User Interactions at Scale on Phishing Websites. Karthika Subramani, William Melicher, Oleksii Starov, and 2 more authors. In Proceedings of the 22nd ACM Internet Measurement Conference, May 2022.
Despite phishing attacks and detection systems being extensively studied, phishing is still on the rise and has recently reached an all-time high. Attacks are becoming increasingly sophisticated, leveraging new web design patterns to add perceived legitimacy and, at the same time, evade state-of-the-art detectors and web security crawlers. In this paper, we study phishing attacks from a new angle, focusing on how modern phishing websites are designed. Specifically, we aim to better understand what type of user interactions are elicited by phishing websites and how their user experience (UX) and interface (UI) design patterns can help them accomplish two main goals: i) lend a sense of professionalism and legitimacy to the phishing website, and ii) contribute to evading phishing detectors and web security crawlers. To study phishing at scale, we built an intelligent crawler that combines browser automation with machine learning methods to simulate user interactions with phishing pages and explore their UX and UI characteristics. Using our novel methodology, we explore more than 50,000 phishing websites and make the following new observations: i) modern phishing sites often impersonate a brand (e.g., Microsoft Office), but surprisingly, without necessarily cloning or closely mimicking the design of the corresponding legitimate website; ii) they often elicit personal information using a multi-step (or multi-page) process, to mimic users’ experience on legitimate sites; iii) they embed modern user verification systems (including CAPTCHAs); and ironically, iv) they sometimes conclude the phishing experience by reassuring the user that their private data was not stolen. We believe our findings can help the community gain a more in-depth understanding of how web-based phishing attacks work from a users’ perspective and can be used to inform the development of more accurate and robust phishing detectors.
  @inproceedings{10.1145/3517745.3561467,
    author    = {Subramani, Karthika and Melicher, William and Starov, Oleksii and Vadrevu, Phani and Perdisci, Roberto},
    title     = {PhishInPatterns: Measuring Elicited User Interactions at Scale on Phishing Websites},
    year      = {2022},
    isbn      = {9781450392594},
    publisher = {Association for Computing Machinery},
    address   = {New York, NY, USA},
    url       = {https://doi.org/10.1145/3517745.3561467},
    doi       = {10.1145/3517745.3561467},
    booktitle = {Proceedings of the 22nd ACM Internet Measurement Conference},
    pages     = {589–604},
    numpages  = {16},
    keywords  = {neural networks, captcha, user experience, phishing, crawler},
    location  = {Nice, France},
    series    = {IMC '22},
  }
- PMC. Privacy Invasion via Smart-Home Hub in Personal Area Networks. Omid Setayeshfar, Karthika Subramani, Xingzi Yuan, and 4 more authors. Pervasive Mob. Comput., Sep 2022.
  @article{10.1016/j.pmcj.2022.101675,
    author     = {Setayeshfar, Omid and Subramani, Karthika and Yuan, Xingzi and Dey, Raunak and Hong, Dezhi and Kim, In Kee and Lee, Kyu Hyung},
    title      = {Privacy Invasion via Smart-Home Hub in Personal Area Networks},
    year       = {2022},
    issue_date = {Sep 2022},
    publisher  = {Elsevier Science Publishers B. V.},
    address    = {NLD},
    volume     = {85},
    number     = {C},
    issn       = {1574-1192},
    url        = {https://doi.org/10.1016/j.pmcj.2022.101675},
    doi        = {10.1016/j.pmcj.2022.101675},
    journal    = {Pervasive Mob. Comput.},
    month      = sep,
    numpages   = {16},
    keywords   = {Smart home security, Smart home hub, Personal area network security},
  }
- EuroS&P. SoK: Workerounds - Categorizing Service Worker Attacks and Mitigations. Karthika Subramani, Jordan Jueckstock, Alexandros Kapravelos, and 1 more author. In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), Sep 2022.
  @inproceedings{9797352,
    author    = {Subramani, Karthika and Jueckstock, Jordan and Kapravelos, Alexandros and Perdisci, Roberto},
    booktitle = {2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P)},
    title     = {SoK: Workerounds - Categorizing Service Worker Attacks and Mitigations},
    year      = {2022},
    volume    = {},
    number    = {},
    pages     = {555-571},
    doi       = {10.1109/EuroSP53844.2022.00041},
  }
2021
- DIMVA. Detecting and Measuring In-The-Wild DRDoS Attacks at IXPs. Karthika Subramani, Roberto Perdisci, and Maria Konte. In Detection of Intrusions and Malware, and Vulnerability Assessment: 18th International Conference, DIMVA 2021, Virtual Event, July 14–16, 2021, Proceedings, Sep 2021.
Distributed reflective denial of service (DRDoS) attacks are a popular choice among adversaries. In fact, one of the largest DDoS attacks ever recorded, reaching a peak of 1.3 Tbps against GitHub, was a memcached-based DRDoS attack. More recently, a record-breaking 2.3 Tbps attack against Amazon AWS was due to a CLDAP-based DRDoS attack. Although reflective attacks have been known for years, DRDoS attacks are unfortunately still popular and largely unmitigated. In this paper, we measure in-the-wild DRDoS attacks as observed from a large Internet exchange point (IXP) and provide a number of security-relevant insights. To enable our measurements, we first developed IXmon, an open-source DRDoS detection system specifically designed for deployment at large IXP-like network connectivity providers and peering hubs. We deployed IXmon at Southern Crossroads (SoX), an IXP-like hub that provides both peering and upstream Internet connectivity services to more than 20 research and education (R&E) networks in the South-East United States. In a period of about 21 months, IXmon detected more than 900 DRDoS attacks towards 31 different victim ASes. An analysis of the real-world DRDoS attacks detected by our system shows that most DRDoS attacks are short lived, lasting only a few minutes, but that large-volume, long-lasting, and highly-distributed attacks against R&E networks are not uncommon. We then use the results of our analysis to discuss possible attack mitigation approaches that can be deployed at the IXP level, before the attack traffic overwhelms the victim’s network bandwidth.
  @inproceedings{10.1007/978-3-030-80825-9_3,
    author    = {Subramani, Karthika and Perdisci, Roberto and Konte, Maria},
    title     = {Detecting and Measuring In-The-Wild DRDoS Attacks at IXPs},
    year      = {2021},
    isbn      = {978-3-030-80824-2},
    publisher = {Springer-Verlag},
    address   = {Berlin, Heidelberg},
    url       = {https://doi.org/10.1007/978-3-030-80825-9_3},
    doi       = {10.1007/978-3-030-80825-9_3},
    booktitle = {Detection of Intrusions and Malware, and Vulnerability Assessment: 18th International Conference, DIMVA 2021, Virtual Event, July 14–16, 2021, Proceedings},
    pages     = {42–67},
    numpages  = {26},
    keywords  = {IXP, DDoS attack, Traffic analysis, DRDoS attack},
  }
- SMARTCOMP. ChatterHub: Privacy Invasion via Smart Home Hub. Omid Setayeshfar, Karthika Subramani, Xingzi Yuan, and 4 more authors. In 2021 IEEE International Conference on Smart Computing (SMARTCOMP), Sep 2021.
  @inproceedings{9556231,
    author    = {Setayeshfar, Omid and Subramani, Karthika and Yuan, Xingzi and Dey, Raunak and Hong, Dezhi and Lee, Kyu Hyung and Kim, In Kee},
    booktitle = {2021 IEEE International Conference on Smart Computing (SMARTCOMP)},
    title     = {ChatterHub: Privacy Invasion via Smart Home Hub},
    year      = {2021},
    volume    = {},
    number    = {},
    pages     = {181-188},
    doi       = {10.1109/SMARTCOMP52413.2021.00045},
  }
2020
- IMC. When Push Comes to Ads: Measuring the Rise of (Malicious) Push Advertising. Karthika Subramani, Xingzi Yuan, Omid Setayeshfar, and 3 more authors. In Proceedings of the ACM Internet Measurement Conference, Sep 2020.
The rapid growth of online advertising has fueled the growth of ad-blocking software, such as new ad-blocking and privacy-oriented browsers or browser extensions. In response, both ad publishers and ad networks are constantly trying to pursue new strategies to keep up their revenues. To this end, ad networks have started to leverage the Web Push technology enabled by modern web browsers. As web push notifications (WPNs) are relatively new, their role in ad delivery has not yet been studied in depth. Furthermore, it is unclear to what extent WPN ads are being abused for malvertising (i.e., to deliver malicious ads). In this paper, we aim to fill this gap. Specifically, we propose a system called PushAdMiner that is dedicated to (1) automatically registering for and collecting a large number of web-based push notifications from publisher websites, (2) finding WPN-based ads among these notifications, and (3) discovering malicious WPN-based ad campaigns. Using PushAdMiner, we collected and analyzed 21,541 WPN messages by visiting thousands of different websites. Among these, our system identified 572 WPN ad campaigns, for a total of 5,143 WPN-based ads that were pushed by a variety of ad networks. Furthermore, we found that 51% of all WPN ads we collected are malicious, and that traditional ad-blockers and URL filters were mostly unable to block them, thus leaving a significant abuse vector unchecked.
  @inproceedings{10.1145/3419394.3423631,
    author    = {Subramani, Karthika and Yuan, Xingzi and Setayeshfar, Omid and Vadrevu, Phani and Lee, Kyu Hyung and Perdisci, Roberto},
    title     = {When Push Comes to Ads: Measuring the Rise of (Malicious) Push Advertising},
    year      = {2020},
    isbn      = {9781450381383},
    publisher = {Association for Computing Machinery},
    address   = {New York, NY, USA},
    url       = {https://doi.org/10.1145/3419394.3423631},
    doi       = {10.1145/3419394.3423631},
    booktitle = {Proceedings of the ACM Internet Measurement Conference},
    pages     = {724–737},
    numpages  = {14},
    location  = {Virtual Event, USA},
    series    = {IMC '20},
  }